{%- set tls_log = salt['pillar.get']('default:OMV_PROFTPD_MODTLS_TLSLOG', '/var/log/proftpd/tls.log') -%}
{%- set tls_protocol = salt['pillar.get']('default:OMV_PROFTPD_MODTLS_TLSPROTOCOL', 'TLSv1.2') -%}
{%- set cert_dir = salt['pillar.get']('default:OMV_SSL_CERTIFICATE_DIR', '/etc/ssl') -%}
{%- set cert_prefix = salt['pillar.get']('default:OMV_SSL_CERTIFICATE_PREFIX', 'openmediavault-') -%}
{%- set tls_verify_client = salt['pillar.get']('default:OMV_PROFTPD_MODTLS_TLSVERIFYCLIENT', 'off') -%}
{%- set tls_renegotiate = salt['pillar.get']('default:OMV_PROFTPD_MODTLS_TLSRENEGOTIATE', 'required off') -%}
LoadModule mod_tls.c
<IfModule mod_tls.c>
  TLSEngine {% if config.enable | to_bool %}on{% else %}off{% endif %}
  TLSLog {{ tls_log }}
  TLSProtocol {{ tls_protocol }}
{%- if config.nosessionreuserequired | to_bool or config.useimplicitssl | to_bool %}
  TLSOptions
{%- if config.nosessionreuserequired | to_bool %} NoSessionReuseRequired{% endif -%}
{%- if config.useimplicitssl | to_bool %} UseImplicitSSL{% endif -%}
{%- endif %}
  TLSRSACertificateFile {{ cert_dir | path_join('certs', cert_prefix ~ config.sslcertificateref ~ '.crt') }}
  TLSRSACertificateKeyFile {{ cert_dir | path_join('private', cert_prefix ~ config.sslcertificateref ~ '.key') }}
  TLSVerifyClient {{ tls_verify_client }}
  TLSRenegotiate {{ tls_renegotiate }}
  TLSRequired {% if config.required | to_bool %}on{% else %}off{% endif %}
{%- if config.extraoptions | length > 0 %}
{{ config.extraoptions | indent(2, True) }}
{%- endif %}
</IfModule>
